Digital publishing involves collecting and processing personal data to improve content distribution, targeting and personalization.
This data processing may bring publishers within the scope of the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR). One is a California law and the other a European one, but both reach businesses anywhere in the world that handle the data of people in their territory.
Even if you already comply with one of these laws, key differences in their scope and measures mean you need to understand both sets of rules to avoid potentially falling foul of the law and, in the process, risk steep financial penalties.
The Basics: GDPR
The GDPR has applied since 25 May 2018. It is an EU regulation that also applies across the wider European Economic Area (EEA). In simple terms, the GDPR applies to personal data processing when:
• the business processing or controlling the data is established in an EEA country, wherever the processing itself happens; or
• the business is established outside the EEA, but the data is about people in the EEA and the processing relates to offering them goods or services (paid or free) or to monitoring their behaviour, such as tracking them across websites.
The GDPR upholds a series of rights for individuals regarding the handling of personal data, and it requires a lawful basis for every processing operation. Consent is only one of six possible bases, but for the tracking, profiling and ad targeting that digital publishers rely on it is usually the one that applies, and that consent must be meaningful.
The Basics: CCPA
The CCPA takes effect on January 1, 2020. It’s a California state law, but its scope reaches businesses throughout the U.S. and beyond: it applies to any for-profit business that does business in California and collects the personal information of California residents (defined under the law as consumers), provided it meets at least one of the thresholds below.
Under the CCPA, a business is covered if it meets any one of these three thresholds:
• has annual gross revenue of more than $25 million;
• annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
• derives 50 percent or more of its annual revenue from selling consumers’ personal information.
Note that the precise wording of the law doesn’t say these revenue or data thresholds only count activity in California.
In short, the CCPA upholds a series of rights for Californians, including the right to know what personal information is collected about them and how it is used, the right to have it deleted, and the right to opt out of its sale.
Although the CCPA and GDPR are similar at the basic level, there are key differences you need to know.
Key Difference #1: Definitions
It’s important to understand the differences between these laws — down to how they define terms — to avoid assuming that complying with one is automatically enough to comply with the other.
For example, the GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Both definitions are broad, and the GDPR’s already reaches inferred data, since an inference about an identifiable person is still information relating to that person. But the CCPA is explicit about two points the GDPR covers only by implication or not at all:
• The CCPA covers households, not just individuals.
• The CCPA explicitly lists inferences drawn from other data as personal information. For example, if a business puts a customer in an “impulse buyer” category based on a pattern of previous orders, that category is inferred information and is covered.
Another difference is that the GDPR classifies all activity involving data as processing, while the CCPA has slightly different rules depending on whether a business is collecting, processing, or selling data.
The CCPA doesn’t require prior consent to collect or process data; it works on an opt-out model, with one exception: selling the personal information of consumers under 16 requires opt-in. The GDPR requires a lawful basis, and where that basis is consent, the consent must be “freely given, specific, informed and unambiguous” and given by a clear affirmative act. Users must actively signal consent, so you can’t rely on an opt-out button, a pre-ticked consent box, or continued browsing.
Finally, the GDPR distinguishes data controllers from data processors: the controller decides the purposes and means of the processing, and the processor processes personal data on the controller’s behalf and on its instructions.
Both have direct obligations under the GDPR, but the controller carries primary responsibility: it must use only processors that give sufficient guarantees, bind them with a written contract, and remains accountable for the processing. So a business does not escape the GDPR by outsourcing: a publisher that decides what data to collect and why is a controller even when an ad-tech or analytics vendor does the actual processing.
Key Difference #2: New User Rights
Both laws give users a set of rights, including:
• To know what personal information you collect about them, and why.
• To access the personal information you’ve collected.
• To have their personal information deleted. (Neither version is unlimited. The GDPR balances erasure against freedom of expression and other legal grounds, and in search-delisting cases courts have weighed the age and relevance of the information and whether the person is a public figure. The CCPA lets you keep data you need for purposes such as completing a transaction or detecting security incidents.)
The GDPR adds some other rights, such as:
• To object to, or restrict, your processing of their personal information. (Remember that processing includes collection. Where the processing rests on consent, they can withdraw it at any time, and withdrawing must be as easy as giving it.)
• To correct errors in their personal information (rectification).
• To receive their personal information in a machine-readable format and have it transferred elsewhere (data portability).
• Not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on them.
Meanwhile, the CCPA specifies some other rights, including:
• To know whether you sell or disclose their personal information, and to which categories of third parties.
• To opt out of the sale of their personal information.
• To exercise their privacy rights without you discriminating against them in price or service.
Key Difference #3: Penalties for non-compliance
The GDPR is enforced by the data protection authority in each EEA member state. The top tier of fines is €20 million or 4% of worldwide annual turnover, whichever is higher; a lower tier of €10 million or 2% applies to breaches of obligations such as securing data and notifying breaches.
The CCPA is enforced by the California Attorney General. If a business doesn’t cure a violation within 30 days of being notified, it faces civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, counted per consumer affected.
Separately, the CCPA gives individuals a private right of action: if a breach exposes unencrypted and non-redacted personal information because the business failed to implement reasonable security procedures, affected consumers can sue directly for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Before seeking statutory damages the consumer must give you 30 days’ written notice and, where a cure is possible, a chance to cure. This is the one part of the CCPA that turns on your security practices rather than your privacy notices, and class actions make the per-consumer figure add up quickly.
While the GDPR and the CCPA will both affect the way you use personal data, neither is an insurmountable challenge for digital publishers.
The key to compliance is to get a solid grip on how you collect and use data. Although the broad principles of the laws are similar, don’t assume that complying with one law means that you don’t need to pay attention to the other.
To recap what you need to do to comply with the two laws:
• Check whether you fall under the scope of the GDPR or the CCPA, and whether this is likely to change in the future.
• Keep track of what data you collect about individuals.
• Map your relationships with advertisers, ad networks, analytics providers and other vendors, and work out for each whether you are a controller, a joint controller or a processor under the GDPR; put a written processing contract in place with every processor.
• If you fall under the GDPR, identify a lawful basis for each purpose you process data for; where that basis is consent, as it usually is for ad tracking and profiling, get meaningful, active consent before processing starts, and record it so you can prove it.
• Explain the consequences of opting out of data processing (e.g., seeing less relevant ads).
• If you’re subject to the CCPA, put a “Do Not Sell My Personal Information” link on your homepage, leading to a page that explains and handles the opt-out of sale.
• Have processes to receive, verify and answer data access and deletion requests, and respond within the statutory deadlines: one month under the GDPR (extendable by two months for complex requests) and 45 days under the CCPA (extendable once by a further 45 days).
Given the advertising and digital publishing industry’s reliance on consumer data, you’re likely to be subject to one or both of these laws.
Furthermore, the CCPA and the GDPR are only setting the foundation for a new era of data privacy legislation. If you haven’t taken steps to comply already — you need to do so now.
Karilyn J Dearie, product specialist & privacy consultant, Termly
About: Termly is a software service that helps businesses, websites, and mobile apps build and implement privacy law compliance solutions. The company offers free legal policy generators, such as privacy policies and terms and conditions.